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GP (for Graph Programs) is a rule-based, nondeterministic programming language for solving graph 
problems at a high level of abstraction, freeing programmers from handling low-level data structures. 
The core of GP consists of four constructs: single-step application of a set of conditional graph- 
transformation rules, sequential composition, branching and iteration. We present a formal semantics 
for GP in the style of structural operational semantics. A special feature of our semantics is the use 
of finitely failing programs to define GP's powerful branching and iteration commands. 

1 Introduction 

This paper defines the semantics of GP, an experimental nondeterministic programming language for 
high-level problem solving in the domain of graphs. The language is based on conditional rule schemata 
for graph transformation (introduced in |[T6l ) and thereby frees programmers from handling low-level 
data structures for graphs. The prototype implementation of GP compiles graph programs into bytecode 
for the York abstract machine, and comes with a graphical editor for programs and graphs fTTl. 

GP has a simple syntax as its core contains only four commands: single-step application of a set of 
rule schemata, sequential composition, branching and as-long-as-possible iteration. Despite its simplic- 
ity, GP is computationally complete in that every computable function on graphs can be programmed 
im. A major goal of the GP project is the development of a practical graph-transformation language that 
comes with a concise formal semantics, to facilitate program verification and other formal reasoning on 
programs. Also, a formal semantics provides implementors with a rigorous definition of the language 
that does not depend on a compiler or machine. 

To define the meaning of GP programs, we adopt Plotkin's method of structural operational semantics 
|[T4]| . This approach is well established for imperative programming languages 1 131 but is novel in the 
field of graph transformation. In brief, the method consists in devising inference rules which inductively 
define the effect of commands on program states. Whereas a classic state consists of the values of all 
program variables at a certain point in time, the analogue for graph transformation is the graph on which 
the rules of a program operate. 

As GP is nondeterministic, our semantics assigns to a program P and an input graph G all graphs that 
can result from executing P on G. A special feature of the semantics is the use of failing computations 
to define powerful branching and iteration constructs. (Failure occurs when a set of rule schemata to 
be executed is not applicable to the current graph.) While the conditions of branching commands in 
traditional programming languages are boolean expressions, GP uses arbitrary programs as conditions. 
The evaluation of a condition C succeeds if there exists an execution of C on the current graph that 
produces a graph. On the other hand, the evaluation of C is unsuccessful if all executions of C on the 
current graph result in failure. In this case C finitely fails on the current graph. 

In logic programming, finite failure (of SLD resolution) is used to define negation [41. In the case 
of GP, it allows to "hide" destructive executions of the condition C of a statement if C then P else Q. 
This is because after evaluating C, the resulting graph is discarded and either P or 2 is executed on the 
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graph with which the branching statement was entered. Finite failure also allows to elegantly lift the 
application of as-long-as-possible iteration from sets of rule schemata (as in fT6l) to arbitrary programs: 
the body of a loop can no longer be applied if it finitely fails on the current graph. 

Control constructs which allow programmers to write "strategies" for applying rewrite rules have 
long been present in term-rewriting languages such as Elan 121 and Stratego Q. These languages allow 
recursive definitions of strategies whereas GP is based on a small set of built-in, non-recursive constructs. 
(See [ 19] for an extension of GP with recursive procedures.) 

Another difference between GP and languages such as Elan and Stratego is that strategies in the 
latter languages rely on the structure of the objects that they manipulate, that is, on the tree structure of 
terms. In both languages, term-rewrite rules are applied at the root of a term so that traversal operations 
are needed to apply rules and strategies deep inside terms. In contrast, the semantics of GP's control 
constructs does not depend on the structure of graphs and is completely orthogonal to the semantics 
of rule schemata. This provides a clear separation of concerns between rules and the control of rules, 
making it easy to adapt GP's semantics to different formats of rules or graphsQ 

The contributions of this paper can be summarised as follows: 

• A graph-transformation language with simple syntax and semantics, facilitating understanding by 
programmers and formal reasoning on programs. Our experience so far is that very often short 
and easy to understand programs can be written to solve problems on graphs (see ifTSll for various 
small case studies). 

• The first formal operational semantics for a graph-transformation language (to the best of our 
knowledge). Well-known languages such as AGG [6|, Fujaba [12] and GrGen [7] have no formal 
semantics. The only graph-transformation language with a complete formal semantics that we 
are aware of is PROGRES ifTSl . Its semantics, given by Schiirr in his dissertation jT/l . translates 
programs into control-flow diagrams and consists of more than 300 rules (including the definition 
of the static semantics) . 

• A powerful branching construct based on the concept of finite failure, allowing to conveniently 
express complex destructive tests on input graphs. In addition, finite failure enables an elegant 
definition of as-long-as-possible iteration. These definitions do not depend on the structure of 
graphs and can be used for string- or term-based rewriting languages, too. 

The rest of this paper is structured as follows. The next section reviews the graph-transformation 
formalism underlying GP, the so-called double-pushout approach with relabelling. Section [3] introduces 
conditional rule schemata as the building blocks of GP programs. In Section IH we discuss an example 
program for graph colouring and define the abstract syntax of graph programs. Section |5] presents our 
formal semantics of GP in the style of structural operational semantics. In Section [6l we conclude and 
mention some topics for future work. 

2 Graph Transformation 

We briefly review the model of graph transformation underlying GP, the double-pushout approach with 
relabelling [9]. Our presentation is tailored to GP in that we consider graphs over a fixed label alphabet, 
and rules in which only the interface may contain unlabelled nodes. 

GP programs operate on graphs labelled with sequences of integers and strings. (The reason for using 
sequences will become clear in Section HI) To formalise this, let Z be the set of integers and Char be a 

'in the extreme, one could even replace the underlying formalism of graph-transformation with some other rule-based 
framework, such as string or term rewriting. 
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finite set of cfiaracters — we may tliink of Char as tlie cliaracters tiiat can be typed on a keyboard. We fix 
the label alphabet = (ZUChar*)+ consisting of all nonempty sequences made up from integers and 
character strings. 

A partially labelled graph over ^ (or graph for short) is a system G = (VcEcSctcJc'^G)^ where 
Vg and Eg are finite sets of nodes (or vertices) and edges, sgJg- Eg ^ Vg are the source and target 
functions for edges, Ig- Vg ^ ^ is the partial node labelling function and niQ : Eg ^ ^ is the (total) 
edge labelling function. Given a node v, we write Ig{v) =-L to express that Ig{v) is undefined. Graph G 
is totally labelled if Iq is a total function. 

The set of all totally labelled graphs over ^ is denoted by 5^. GP programs operate on the graphs 
in ^, unlabelled nodes occur only in the interfaces of rules (see below) and are necessary in the double- 
pushout approach to relabel nodes. There is no need to relabel edges as they can always be deleted and 
reinserted with changed labels. 

A graph morphism g: G ^ H between graphs G and H consists of two functions gy: Vg ^ Vh 
and gE '■ Eg — )■ En that preserve sources, targets and labels (that is, sh ogE = 8v ° ^G^ tH ° gE = 8v ° tG, 
niH °gE = fnc, and ///(g(v)) = Ig{v) for all v such that Ig{v) t^-L)- Morphism g is an inclusion if g{x) = x 
for all nodes and edges x. It is injective if gy and gE are injective. 

A rule r = {L K ^ R) consists of two inclusions K ^ L and K ^ R where L and R are totally 
labelled graphs. Graph K is the interface of r. Intuitively, an application of r to a graph will remove the 
items in L — i^, preserve K, add the items in R — K, and relabel the unlabelled nodes in K. Given a graph 
G in W, an injective graph morphism g: L — )• G is a match for r if it satisfies the dangling condition: no 
node in g{L) — g{K) is incident to an edge in G — g{L). In this case G directly derives the graph H inW 
that is constructed from G as follows H 

1. Remove all nodes and edges in g{L) — g{K). 

2. Add disjointly all nodes and edges from R — K, keeping their labels. For e £ Er — Ek, sh {e) is 
SR{e) if SR{e) € Vs — Vk, otherwise gv{sji{e)). Targets are defined analogously. 

3. For each node vinK with Ik{v) = -L, Inigviv)) becomes Ir{v). 

We write G =>r,g H (or just G H) if G directly derives H as above. 

Figure [T] shows an example of a direct derivation. The rule in the upper row is applied to the left 
graph of the lower row, resulting in the right graph of the lower row. For simplicity, we do not depict 
edge labels and assume that they are all the same. The node identifiers 1 and 2 in the rule specify the 
inclusions of the interface. The middle graph of the lower row is an intermediate result (omitted in 
the above construction). This diagram represents a double-pushout in the category of partially labelled 
graphs over 

To define conditional rules, we equip rules with predicates that restrict sets of matches. A conditional 
rule q = {r,P) consists of a rule r and a predicate P on graph morphisms. Given totally labelled graphs 
G, H and a match g: L — )■ G for <7, we write G =>^,g H (or just G H) if P{g) holds and G =^r,g EI. For 
a set of conditional rules we write G =>,^ H if there is some ^ in ^ such that G H. 

3 Conditional Rule Schemata 

A GP program is essentially a list of declarations of conditional rule schemata together with a command 
sequence for controlling the application of the schemata. Rule schemata generalise rules in that labels 
can contain expressions over parameters of type integer or string. In this section, we give an abstract 



■^See (9) for an equivalent definition by graphi pushiouts. 
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1 2 12 1 2 



4^ J' 4' 




Figure 1 : A direct derivation 

syntax for the textual components of conditional rule schemata and interpret them as sets of conditional 
rules. 

Figure [2] shows an example for the declaration of a conditional rule schema. It consists of the iden- 
tifier bridge followed by the declaration of formal parameters, the left and right graphs of the schema 
which are labelled with expressions over the parameters, the node identifiers 1, 2, 3 determining the 
interface of the schema, and the keyword where followed by the condition. 



bridge(a,b,x,y,z: int) a + b 




12 3 12 3 



where a >= and b >= and notedge(l,3) 



Figure 2: A conditional rule schema 

In the GP programming system fTPl, rule schemata are constructed with a graphical editor. Figure 
|3] gives a grammar in Extended Backus-Naur Form for node and edge labels in the left and right graph 
of a rule schema (categories LeftLabel and RightLabel)Jl Labels can be sequences of expressions sepa- 
rated by underscores, as will be demonstrated by Example [T] in Section HI We require that labels in the 
left graph must be simple expressions because their values at execution time are determined by graph 
matching. All variable identifiers in the right graph must also occur in the left graph. Every expression 
in category Exp has type int or string, where arithmetical operators expect arguments of type int and 
the type of variable identifiers is determined by their declarations. 

The condition of a rule schema is a boolean expression built from expressions of category Exp and 
the special predicate edge, see Figure |4] Again, all variable identifiers occurring in the condition must 



■'The grammars in Figure[3]and Figure|4]are ambiguous, we use parentheses to disambiguate expressions where necessary. 
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= SimpleExp ['_' LeftLabel] 

= Exp ['_' RightLabel] 

= ['-'] Num I String | Varld 

= SimpleExp | Exp ArithOp Exp 

= '+' I '_' I I '/' 

= Digit {Digit} 



RightLabel 
SimpleExp 
Exp 

ArithOp 

Num 

String 



{Char} ' " ' 



Figure 3: Syntax of node and edge labels 



BoolExp ::= edge '(' Node ',' Node ')' | Exp RelOp Exp 
[ not BoolExp I BoolExp BoolOp BoolExp 



Node ::= Digit {Digit} 

RelOp ::= '=' | '\=' | '>' | '<' | '>=' | '<=' 

BoolOp ::= and | or 



Figure 4: Syntax of conditions 



also occur in the left graph of the schema. The predicate edge demands the (non-)existence of an 
edge between two nodes in the graph to which the rule schema is applied. For example, the expression 
not edge(l, 3) in the condition of Figure |2] forbids an edge from node 1 to node 3 when the left graph is 
matched. 

We interpret a conditional rule schema as the (possibly infinite) set of conditional rules that is ob- 
tained by instantiating variables with any values and evaluating expressions. To define this, consider a 
declaration D of a conditional rule-schema. Let L and R be the left and right graphs of D, and c the 
condition. We write Var(Z)) for the set of variable identifiers occurring in D. Given x in Var(D), type(;c) 
denotes the type associated with x. An assignment is a mapping a : Var(D) — )• (Z U Char*) such that for 
each X in Var(D), type(x) = int implies a{x) G Z, and type(x) = string implies a{x) G Char*. 

Given a label / of category RightLabel occuring in D and an assignment a, the value /" G ^ is 
inductively defined. If / is a numeral or a sequence of characters, then /" is the integer or character string 
represented by / (which is independent of a). If / is a variable identifier, then = «(/). Otherwise, I" 
is obtained from the values of /'s components. If / has the form ei ©^2 with © in ArithOp and ei,e2 in 
Exp, then Z" = ©z^" where ©^ is the integer operation represented by ©0 If / has the form ejn with 
e in Exp and m in RightLabel, then /" = e^m" (the concatenation of and m"). Note that our definition 
of covers all labels in D since LeftLabel is a subcategory of RightLabel. 

The value of the condition c in D not only depends on an assignment but also on a graph morphism. 
For, if c contains the predicate edge, we need to consider the structure of the graph to which we want to 
apply the rule schema. Consider an assignment a and let L" be obtained from L by replacing each label 
/ with Let ^ : L" — > G be a graph morphism with G Then for each Boolean subexpression b of 
c, the value b"'^ in IB = {tt, f f } is inductively defined. If b has the form e\ ixi 62 with 1x1 in RelOp and 
61,62 in Exp, then b"-^ = tt if and only if tXz ^2 where oo^ is the relation on integers represented by 

*For simplicity, we consider division by zero as an implementation-level issue. 
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CO. If b has the fomi notbi with bi in BoolExp, then b'^'^ = tt if and only if b"'^ = it. If b has the 
form bi (Bb2 with © in BoolOp and bi,b2 in BooIExp, then b"'^ = ft"'^ ©b^" ^ where ©b is the Boolean 
operation on B represented by ©. A special case is given if b has the form edge(v,H') where v,w are 
identifiers of interface nodes in D. We then have 



tt if there is an edge from g(v) to g{w), 
ff otherwise. 



Let now r be the rule-schema identifier associated with declaration D. For every assignment a, let 
r" = (L" ^ K ^ R" , P") be the conditional rule given as follows: 

• L" and /?" are obtained from L and R by replacing each label I with I". 

• A" is the discrete subgraph of L and R determined by the node identifiers for the interface, where 
all nodes are unlabelled. 

• P" is defined by: P"{g) if and only if g is a graph morphism ^ G such that G £ and 
c«'« = tt. 

The interpretation of r is the rule set I(r) = {r" | a is an assignment}. For notational convenience, we 
sometimes denote the relation =>i(^) by =^,-. Note that I(r) is a (possibly infinite) set of conditional rules 
in the sense of Section |2l grounding rule schemata in the theory of the double-pushout approach with 
relabelling [9l. 

For example, the upper rows of Figure |5] show the rule schema bridge of Figure |2] (without con- 
dition) and its instance bridge'', where a(x) = 0, o;(y) = a(z) = 1, a(a) = 3 and a(b) = 2. The 
condition c of bridge evaluates to the predicate P" which is true for a match g of the left-hand graph 
if and only if there is no edge from ^(1) to g(3). (The subexpressions a >= and b >= evaluate to 
tt and hence can be ignored.) The lower rows of Figure |5] show an application of bridge" by a graph 
morphism satisfying P". 



a + b 



Schema: ( x — — ^(V^) — z 

2 



Instance: 




2 



3 2 

y—M 1 






Figure 5: Application of a rule schema using instantiation 
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4 Graph Programs 

We start by discussing an example program for graph colouring. 

Example 1 (Computing a 2-colouring). A colouring for a graph is an assignment of colours (integers) 
to nodes such that the source and target of each edge have different colours. A graph is 2-colourable 
(or bipartite) if it possesses a colouring with at most two colours. The program 2-colouring in Fig- 
ure |6] generates a 2-colouring for nonempty, connected input graphs without loops if such a colouring 
exists — otherwise the input graph is returned. The program consists of five rule-schema declarations, the 
macro colour representing the rule-schema set {colourl, colour2}, and the main command sequence 
following the key word main. 



main = choose; colour!; if illegal then undo! 
colour = {colourl, colour2} 



choose(x: int) illegal(a, i,x,y : int) 




colour2(a, i,x,y : int) 




Figure 6: The program 2-colouring 

Given an integer-labelled input graph, the program first uses the rule schema choose to pick any 
node and replace its label x with xJd. The underscore operator allows to add a tag to a label, used 
here to add colours to labels. In general, a tagged label consists of a sequence of expressions joined by 
underscores. After the first node has been coloured, the command colour ! applies the rule schemata 
colourl and colour2 nondeterministically as long as possible to colour all remaining nodes. In each 
iteration of the loop, an uncoloured node adjacent to an already coloured node v gets the colour in {0, 1} 
that is complementary to v's colour. If the input graph is connected, the graph resulting from colour ! 
is correctly coloured if and only if the rule schema illegal is not applicable. The latter is checked 
by the if-statement. If illegal is applicable, then the input must contain an undirected cycle of odd 
length and hence is not 2-colourable (see for example [10]). In this case the loop undo ! removes all tags 
to return the input graph unmodified. Note that the number of rule-schema applications performed by 
2-colouring is linear in the number of input nodes. 

To make 2-colouring applicable to graphs that are possibly empty or disconnected, we can insert 
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a nested loop: 

main = (choose; colour!)!; if illegal then undo!. 

Now if the input graph is empty, choose fails which causes the outer loop to terminate and return the 
current (empty) graph. On the other hand, if the input consists of several connected components, the 
body of the outer loop is repeatedly called to colour each component. 

Figure|7]shows the abstract syntax of GP programs]! A program consists of a number of declarations 
of conditional rule schemata and macros, and exactly one declaration of a main command sequence. The 
rule-schema identifiers (category Ruleld) occurring in a call of category RuleSetCall refer to declarations 
of conditional rule schemata in category RuleDecl (see Section O. Semantically, each rule-schema 
identifier r stands for the set I(r) of conditional rules induced by that identifier. A call of the form 
{ri , . . . , r„} stands for the union |J"=i K''')- 

Prog ::= Decl {Decl} 

Decl ::= RuleDecl | MacroDecl | MainDecl 

MacroDecl ::= Macrold '=' ComSeq 

MainDecl ::= main ComSeq 

ComSeq ::= Com{';'Com} 

Com ::= RuleSetCall | MacroCall 

I if ComSeq then ComSeq [else ComSeq] 

I ComSeq'!' 

I skip I fail 

RuleSetCall ::= Ruleld | '{' [Ruleld {',' Ruleld}] '}' 
MacroCall ::= Macrold 

Figure 7: Abstract syntax of GP 

Macros are a simple means to structure programs and thereby to make them more readable. Every 
program can be transformed into an equivalent macro-free program by replacing macro calls with their 
associated command sequences (recursive macros are not allowed). In the next section we use the terms 
"program" and "command sequence" synonymously, assuming that all macro calls have been replaced. 

The commands skip and fail can be expressed through the other commands (see next section), 
hence the core of GP includes only the call of a set of conditional rule schemata (RuleSetCall), sequential 
composition (';'), the if-then-else statement and as-long-as-possible iteration ('!'). 

5 Semantics of Graph Programs 

We present a formal semantics of GP in the style of Plotkin's structural operational semantics HTM . As 
usual for this approach, inference rules inductively define a small-step transition relation — on configu- 
rations. In our setting, a configuration is either a command sequence together with a graph, just a graph 
or the special element fail: 

^ C (ComSeq X ^) X ((ComSeq x^)U^U {fail}). 



^Where necessary we use parentheses to disambiguate programs. 
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Configurations in ComSeq x ^ represent unfinished computations, given by a rest program and a state in 
tlie form of a grapli, while graphs in W are proper results of computations. In addition, the element fail 
represents a failure state. A configuration / is terminal if there is no configuration 5 such that 5. 

Each inference rule in Figure [8] consists of a premise and a conclusion separated by a horizontal 
bar. Both parts contain meta-variables for command sequences and graphs, where R stands for a call in 
category RuleSetCall, C,P,P',Q stand for command sequences in category ComSeq and G,H stand for 
graphs in W. Given a rule-set call R, let !(/?) = U{I('') | is a rule-schema identifier in R} (see Section 
|3]for the definition of l{r)). The domain of =>i(r), denoted by Dom(^j(^)), is the set of all graphs G in 
such that G ^i(r) H for some graph H. Meta-variables are considered to be universally quantified. 
For example, the rule [Calli] should be read as: "For all R in RuleSetCall and all G,H in G =^i(r) H 
imphes {R, G) H." 

Figure [8] shows the inference rules for the core constructs of GR We write — )•+ and — )•* for the 
transitive and reflexive-transitive closures of — >. A command sequence C finitely fails on a graph G G 
if (1) there does not exist an infinite sequence (C, G) {Ci,G\) — )■ ... and (2) for each terminal 
configuration 7 such that (C, G) — )•* Y, Y = fail. In other words, C finitely fails on G if all computations 
starting from (C, G) eventually end in the configuration fail. 

{R,G)^H G) ^ fail 

[ScQ,1 {P^G)^{P' H) {P,G)^H 
^^"'liJ {P-Q,G)^{P'-Q,H) ^^"'i^J {P;Q,G)^{Q,H) 



[Seqs] 



(P, G) fail 
(P;e,G) ^fail 



(C, G) ^+ H . , C finitely fails on G 



P^^] (if C then p'else Q, G) {P, G) ^^^^^ (if C then P else Q, G) {Q, G) 

r., . (P,G)^+H r A > 1 ^ finitely fails on G 

[^l^Pi] {Pl,G) U{P\,H) t^l^P2] {P\,G)^G 



Figure 8: Inference rules for core commands 

The concept of finite failure stems from logic programming where it is used to define negation as 
failure H. In the case of GR we use it to define powerful branching and iteration constructs. In particular, 
our definition of the if-then-else command allows to "hide" destructive tests. 

Example 2 (Recognizing series-parallel graphs). A graph is series-parallel if it reduces to a graph con- 
sisting of two nodes and an edge between them by the following two operations [T, 31: (1) Replace a 
pair of parallel edges by an edge from their source to their target. (2) Given a node v with exactly one 
incoming edge e\ and exactly one outgoing edge £2 such that the source of e^ and the target of e2 are 
distinct, replace ei, e2 and v by an edge from the source of ei to the target of ^2- 

Suppose that we want to check whether a connected, integer-labelled graph G is series-parallel and, 
depending on the result, execute either a program P or a program Q on G. We can do this with the 
program 

main = if {par, seq}!; base then P else 2 
whose rule schemata par, seq and base are shown in Figure |9l The subprogram {par, seq}! applies 
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as long as possible the operations (1) and (2) to the input graph G, then the rule schema base checks if 
the resulting graph consists of two nodes connected by an edge. Graph G is series-parallel if and only 
if base is applicable to the reduced graph. (Note that {par, seq}! preserves connectedness and that, by 
the dangling condition, base is applicable only if the images of its left-hand nodes have degree one.) It 
is important to note that by the inference rules [Ifi] and [Hi], the main program executes P or Q on the 
input graph G whereas the graph resulting from the test is discarded. 



par(a,b,x,y: int) 




seq(a,b,x,y,z: int) 




1 2 12 



base(a, x,y: int) 




Figure 9: Rule schemata for recognizing series-parallel graphs 

The meaning of the remaining GP commands is defined in terms of the meaning of the core com- 
mands, see Figure [TOl We refer to these commands as derived commands. 

[Skip] (skip, G) (r, G) 

where r is an identifier for the rule schema 

[[Fail] (fail,G)^({},G) 

[Ifs] (if C then P, G) (if C then P else skip, G) 

Figure 10: Inference rules for derived commands 

We can now summarise the meaning of GP programs by a semantic function [_]] which assigns to 
each program P the function [Pj mapping an input graph G to the set of all possible results of running P 
on G. The result set may contain, besides proper results in the form of graphs, the special value _L which 
indicates a nonterminating or stuck computation. The semantic function |_]] : ComSeq ^ (5^ ^ 2^'-'^-^^) 
is defined bjj^ 

|p]G = {// G ^ [ (P, G)^H} U {_L I P can diverge or get stuck from G} 

where P can diverge from G if there is an infinite sequence (P, G) — )• (Pi , Gi ) (Pz, G2) and P 

can get stuck from G if there is a terminal configuration {Q, H) such that (P, G) — )•* {Q, H). 



^We write |P]]G for the application of to a graph G. 
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Note that {PJG = if and only if P finitely fails on G. In Example [2l for instance, we have 
[[{par, seq}!; basejG = for every connected graph G containing a cycle. This is because the graph 
resulting from {par, seq}! is still connected and cyclic, so the rule schema base is not applicable. 

A program can get stuck only in two situations: either it contains a subprogram if C then P else Q 
where C both can diverge from some graph and cannot produce a proper result from that graph, or it con- 
tains a subprogram B! where the loop's body B possesses the said property of C. The evaluation of these 
subprograms will get stuck because the inference rules for branching and iteration are not applicable. 



6 Conclusion 

GP is an experimental rule-based language for high-level problem solving in the domain of graphs, 
freeing programmers from handling low-level data structures. The hallmark of GP is syntactic and 
semantic simplicity. Conditional rule schemata for graph transformation allow to express application 
conditions and computations on labels, in addition to structural changes. The semantics of rule schemata 
is orthogonal to the semantics of control constructs, making it easy to change the format of rules or 
graphs. 

The operational semantics of programs describes the effect of GP's control constructs in a natural 
way and captures the nondeterminism of the language. In particular, powerful branching and iteration 
commands have been defined using the concept of finite failure. Destructive tests on the current graph 
can be hidden in the condition of the branching command, and nested loops can be coded since arbitrary 
subprograms can be iterated as long as possible. 

Future extensions of GP may include recursive procedures for writing complex algorithms (see |[T9l ). 
and a type concept for restricting the shape of graphs. Our goal is to support formal reasoning on graph 
programs by developing static analyses for properties such as termination and confluence (uniqueness of 
results), and a calculus and tool support for program verification. 
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